On 27 Jan 2010, at 00:34, walt wrote:
> ...
> After thinking awhile I realized that pam can be used to
> combine multiple forms of authentication to reduce the well
> documented risk of single-factor authentication (like our
> traditional password system).
> ...
> Any sysadmins out there that can confirm my reasoning?
|
I use pam_winbind at a site to enable users to log on to the Dovecot
IMAP server using their Windows domain username & password.
|
Once the underlying mechanism is set up it requires very little work to
enable this - for ftp authentication (restricted to localhost only,
but this allows Squirrelmail users to add a vacation message) I needed
to touch, I am sure, nothing but the /etc/pam.d/ftp file. Dovecot
requires only one or two extra lines in its config. With one
additional line in /etc/pam.d/imaps a homedir is created for the user
the first time they log into the IMAP server (pam_mkhomedir.so).
|
This list may not consider this such a cool use of PAM as using long
encryption keys to authenticate themselves, but I have found PAM
amazing when it all comes together so quickly. PAM seems quite
powerful & flexible, although I too seem to recall having a
frustrating experience when I encountered it, without understanding
it, years ago.
|
Stroller.
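
A sketch of the kind of PAM service file the message above describes, added here as an example; it is not Stroller's actual configuration. The module options and the Dovecot `session=yes` setting noted in the comments are assumptions that the message does not state.

```conf
# /etc/pam.d/imaps  (constructed example, not the poster's file)
#
# auth:    check the username and password against the Windows domain via winbind
# account: let winbind decide whether the account may log in (disabled, expired, ...)
auth      required   pam_winbind.so
account   required   pam_winbind.so

# session: the "one additional line" that creates the home directory on first login.
# umask=0077 (an assumption here) keeps the new directory private to its owner.
session   required   pam_mkhomedir.so skel=/etc/skel umask=0077

# pam_mkhomedir is a session module, so it only runs if the application opens a
# PAM session. Dovecot's PAM passdb does not do so unless told to; in Dovecot 1.x
# syntax (assumed version) that looks like:
#
#   passdb pam {
#     args = session=yes imaps
#   }
```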